Firewall Software

check_iptables

Description:

Bash script to do basic checking of iptables.

Current Version

Last Release Date

May 28, 2009

Compatible With


Project Files
Project Notes
The script does not (and cannot) detect "stupid" rules. Its purpose is to ensure that iptables and the configured rules (whatever they may be) are loaded. It is useful for identifying situations such as:
- forgetting to start iptables at boot
- stopping iptables for testing and forgetting to restart it
- etc.
The normal condition is when all tables have 1 or more rules. The critical condition is when a table (any table) has 0 rules.
Reviews (3)
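The check the project notes describe, as an added example that is not the plugin's own code: a rule count parsed from "iptables -S" output and the OK/CRITICAL decision, with constructed sample dumps so the logic runs without root. TABLES, the function names and the status-line format are assumptions.

```bash
#!/bin/bash
# Added example (not the plugin's code): the check the project notes describe,
# CRITICAL when any table has 0 rules, OK otherwise. Assumes GNU iptables "-S"
# output: rules are "-A ..." lines; "-P"/"-N" lines are headers, not rules.
TABLES="filter nat mangle raw"   # tables to inspect (assumed default)

# Count rules in an "iptables -t TABLE -S" dump read from stdin.
rule_count() {
    awk '/^-A /{n++} END{print n+0}'
}

# Nagios verdict for "table:count" arguments: returns 2 (CRITICAL) if any
# count is 0, else 0 (OK), and prints the plugin-style status line.
evaluate() {
    local state=0 summary="" pair table count
    for pair in "$@"; do
        table=${pair%%:*}
        count=${pair#*:}
        if [ "$count" -eq 0 ]; then
            state=2
            summary="$summary $table=0(!)"
        else
            summary="$summary $table=$count"
        fi
    done
    [ "$state" -eq 0 ] && echo "IPTABLES OK -$summary" \
                       || echo "IPTABLES CRITICAL -$summary"
    return "$state"
}

# Live mode: dump each table (needs root, or a sudo rule scoped to this
# script as the first review suggests). A missing binary counts as 0 rules.
check_live() {
    local table pairs=""
    for table in $TABLES; do
        pairs="$pairs $table:$(iptables -t "$table" -S 2>/dev/null | rule_count)"
    done
    evaluate $pairs   # unquoted on purpose: one argument per table
}

# Constructed sample dumps: a populated filter table and an empty nat table.
SAMPLE_FILTER='-P INPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'
SAMPLE_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT'
if [ "${1:-}" = "--live" ]; then check_live; fi
```

An empty nat, mangle or raw table is normal on many hosts, so trim TABLES to the tables you actually populate, or the check will alert on a correctly configured firewall.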
Changes required
by rhousand, July 31, 2013

Added $TABLE:

    CHKIPTBLS=`/sbin/iptables -n -t $TABLE -L | wc -l`

Added the nrpe user to sudoers:

    Defaults!/usr/local/nagios/libexec/check_iptables.sh !requiretty
    nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_iptables.sh

I would not recommend adding the following to sudoers:

    nagios ALL= NOPASSWD: /sbin/iptables

I also imported utils.sh and used its exit codes, but this may not be required:

    . /usr/local/nagios/libexec/utils.sh
    exit $STATE_OK
    exit $STATE_CRITICAL



Added IPv6 support
by stephan, April 30, 2012

Thanks for the check. I like to be able to check both IPv6 and IPv4, so that is what the edit below does. (Paths used in this script are adapted for Debian/Ubuntu based systems.)

    #!/bin/bash
    # Select the IPv4 or IPv6 binary from the single argument.
    case $# in
        1)
            case $1 in
                -4) IPT='/sbin/iptables' ;;
                -6) IPT='/sbin/ip6tables' ;;
                *)  echo "Usage: $0 [-4][-6]"; exit 1 ;;   # was an empty branch, which left IPT unset
            esac
            GREP='/bin/grep'
            AWK='/usr/bin/awk'
            EXPR='/usr/bin/expr'
            WC='/usr/bin/wc'
            STAT=0
            OUTPUT=''
            # Every chain in the filter table, built-in and user-defined.
            CHAINS=`$IPT -nvL | $GREP 'Chain' | $AWK '{ print $2 }'`
            for CHAIN in $CHAINS ; do
                # Skip FORWARD, OUTPUT and LOG_* chains, which may legitimately be empty.
                if [ "$CHAIN" != 'FORWARD' ] && [ "$CHAIN" != 'OUTPUT' ] && [ "`$EXPR substr $CHAIN 1 4`" != "LOG_" ] ; then
                    # "-S" prints one header line (-P or -N) before the rules.
                    CNT=`$EXPR $($IPT -S $CHAIN | $WC -l) '-' 1`
                    if [ "$CNT" -eq 0 ] ; then
                        OUTPUT="${OUTPUT}ERROR $CHAIN $CNT rules! "
                        STAT=2
                    else
                        OUTPUT="${OUTPUT}OK $CHAIN $CNT rules "
                    fi
                fi
            done
            echo "$OUTPUT"
            exit $STAT
            ;;
        *)
            echo "Usage: $0 [-4][-6]"
            exit 1
            ;;
    esac



different code, same task
by glen, March 31, 2010

I've coded a similar plugin independently, when I found this plugin already exists... http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/nagios-plugin-check_iptables/check_iptables
Differences with my plugin are:
- can set up the needed sudo rules if invoked with the -S argument
- you can specify warning and critical levels for how many rules you need to have present
- can check other tables/chains than filter/INPUT via command line args.
License: GPL v2 (same as Nagios)



Project Stats
Rating: 3 (3)
Favorites: 1
Views: 111,670